Enterprises today need to invest heavily on the ecosystem side by using API security testing and protection technologies as part of their development processes. The Microsoft stack — which includes VS Code, GitHub, Azure DevOps, and Azure Kubernetes Service — is one development environment where such considerations are paramount. Because of this, I recently reached out to Dmitry Sotnikov, the chief product officer of 42Crunch, to gain some insight from him on what’s involved in implementing end-to-end API security in the Microsoft stack. Dmitry is also an 11-time recipient of the Microsoft MVP (Most Valuable Professional) award, and he curates APIsecurity.io, a community website for all things related to API security. Let’s tighten our thinking caps as we listen to what Dmitry says on this subject.
API security is rapidly becoming a mandatory part of your cybersecurity best practices, because it combats a new and growing threat: APIs are proliferating (according to Akamai, 83 percent of all web traffic is now API traffic) due to the wide adoption of mobile apps, rich web applications, smart devices, and microservices architectures.
Thanks to the modern microservices architectures, individual application components also use APIs to communicate. Combined with the use of cloud services, this radically expands the attack surface compared to traditional web application user interfaces.
Gartner estimates that by 2021, exposed APIs will form a larger attack surface than UIs for 90 percent of web-enabled applications. This trajectory made Gartner predict that by 2022, APIs are going to become the No. 1 attack vector.
In today’s world of companies exposing hundreds (if not thousands) of APIs in the systems they build and maintain, how do you make sure that all the APIs that you develop and run follow modern security best practices?
If you are a Microsoft shop, we have some good news for you.
Not only is Microsoft one of the key participants in the Linux Foundation OpenAPI Initiative, which maintains the industry-standard REST API contract format, the OpenAPI Specification, but Microsoft now also has partner extensions from API security specialist 42Crunch across its key development and runtime platforms.
Three steps to API security
Let’s see how they work across the three main components of the Microsoft cloud R&D stack:
- Visual Studio Code for API development
- Azure DevOps pipelines for API discovery and testing
- Azure Kubernetes Service for API protection
Step 1 — VS Code: API design and development
Microsoft Visual Studio Code (commonly referred to as VS Code) is an open-source (!) integrated development environment (IDE) from Microsoft. Released only in 2015, it has quickly become the No. 1 IDE for modern software development.
Part of VS Code’s popularity lies in its flourishing extension marketplace. With thousands of plugins for a variety of programming languages and technologies, it can satisfy any R&D need.
The popular OpenAPI (Swagger) Editor extension provides first-class API creation and editing capabilities in the IDE, with templates, contract navigation, IntelliSense, and code snippets.
Moreover, a security audit of the API is just a click away. Click the 42C button at the top right, and more than 200 different security best-practice checks are run against the API definition, covering authentication, authorization, transport, and data validation.
For each issue, you get detailed information on the possible exploit scenario and the recommended way to fix the security issue.
Step 2 — Azure DevOps: Testing and DevSecOps
While VS Code is a great tool for personal developer productivity, Azure DevOps pipelines can take your processes to the next level. This is Microsoft’s implementation of continuous integration / continuous deployment (CI/CD) technology.
The pipeline takes your complete code repository, runs the tests you add to it, and, if successful, pushes the changes to your runtime environment.
The steps in the pipeline are configurable, and one of the available extensions is 42Crunch REST API Static Security Testing.
Add it to the pipeline, specify the success criteria (either an overall security-score threshold or a set of more granular requirements), and get some peace of mind about API security in your company.
The extension automatically finds any REST API definitions in your repository, runs the security audit checks for them, and gives detailed reports as a result. This means that no new API or API change can get deployed to your systems without automated security scrutiny.
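To make the audit-and-gate idea from Steps 1 and 2 concrete, here is an added example that is not 42Crunch’s code (their extension runs more than 200 checks; this runs four constructed ones): it discovers OpenAPI JSON files in a repository tree, audits each one for a few weaknesses in the categories named above, scores the result, and fails the build below a threshold. The contract, file names, scoring penalty, and threshold are all constructed for illustration; YAML contracts would need a YAML parser, which is omitted here.

```python
import json, tempfile
from pathlib import Path

# Constructed sample contract (not a real API) carrying several typical weaknesses.
SAMPLE_SPEC = {"openapi": "3.0.0", "servers": [{"url": "http://api.example.test"}],
    "paths": {"/users/{id}": {"get": {
        "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "string"}}],
        "responses": {"200": {"description": "ok"}}}}}}

def make_sample_repo():
    """Write the constructed contract plus an unrelated JSON file into a temp dir; return its path."""
    root = Path(tempfile.mkdtemp())
    (root / "openapi.json").write_text(json.dumps(SAMPLE_SPEC))
    (root / "package.json").write_text('{"name": "demo"}')          # JSON, but not an API definition
    return root

def discover_contracts(root):
    """Return every JSON file under root whose top level declares 'openapi' or 'swagger'."""
    found = []
    for path in Path(root).rglob("*.json"):
        try:
            doc = json.loads(path.read_text())
        except (ValueError, OSError):
            continue
        if isinstance(doc, dict) and ("openapi" in doc or "swagger" in doc):
            found.append(path)
    return sorted(found)

def audit_contract(doc):
    """A few constructed contract checks in the categories named above; returns (category, message) pairs."""
    findings = []
    if any(s.get("url", "").startswith("http://") for s in doc.get("servers", [])):
        findings.append(("transport", "server URL uses plain http"))
    for path, ops in doc.get("paths", {}).items():
        for method, op in ops.items():
            where = f"{method.upper()} {path}"
            if not op.get("security", doc.get("security")):
                findings.append(("authentication", f"{where} has no security requirement"))
            if not any(code.startswith("4") for code in op.get("responses", {})):
                findings.append(("data validation", f"{where} declares no 4xx error response"))
            for prm in op.get("parameters", []):
                sch = prm.get("schema", {})
                if sch.get("type") == "string" and not sch.keys() & {"maxLength", "pattern", "enum"}:
                    findings.append(("data validation", f"{where}: parameter '{prm['name']}' is an unbounded string"))
    return findings

def gate_repository(root, min_score=70, penalty=15):
    """Pipeline-style gate: audit every discovered contract; pass only if each scores >= min_score."""
    report = {}
    for path in discover_contracts(root):
        findings = audit_contract(json.loads(path.read_text()))
        report[path.name] = (max(0, 100 - penalty * len(findings)), findings)
    return all(score >= min_score for score, _ in report.values()), report
```

With the sample contract, all four checks fire, the file scores 40, and the gate fails at the default threshold of 70.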
Step 3 — Azure Kubernetes Service: Runtime protection
Finally, when your API implementation is ready for prime time, you get it deployed — and chances are that your API becomes a microservice running in Azure Kubernetes Service (AKS).
With your API contract already checked and locked down in the previous steps, you can now use it as an allow-list policy that prevents any call that does not conform to the API definition from ever reaching your API code.
To do this, simply configure AKS to protect the microservice with 42Crunch API Firewall.
The firewall is deployed in the same pod as each microservice, providing protection with zero network overhead. The firewall reads the API contract and provides effective real-time protection for the API that the microservice exposes.
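As an added illustration of the contract-as-allow-list idea (not the 42Crunch API Firewall’s own code), the following validator reads a constructed OpenAPI-style contract and admits a request only when its path, method, path parameters, and JSON body all match what the contract declares; anything undeclared, including extra body properties, is rejected before it could reach the API code.

```python
import re

# Constructed OpenAPI-style contract (not a real API), used here as the allow-list.
CONTRACT = {"paths": {
    "/pets": {"post": {"requestBody": {"required": True, "content": {"application/json": {"schema": {
        "type": "object", "required": ["name"], "additionalProperties": False,
        "properties": {"name": {"type": "string", "maxLength": 30}, "age": {"type": "integer"}}}}}}}},
    "/pets/{petId}": {"get": {"parameters": [
        {"name": "petId", "in": "path", "required": True, "schema": {"type": "integer"}}]}}}}
TYPES = {"string": str, "integer": int}

def _match_path(template, path):
    """Match a template such as /pets/{petId} against a concrete path; return path params or None."""
    m = re.fullmatch(re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template), path)
    return m.groupdict() if m else None

def _ok_body(obj, schema):
    """Check a JSON object body: required keys present, no undeclared keys, declared types/lengths."""
    props = schema.get("properties", {})
    if not isinstance(obj, dict) or any(k not in obj for k in schema.get("required", [])):
        return False
    if schema.get("additionalProperties") is False and any(k not in props for k in obj):
        return False
    for k, v in obj.items():
        t = TYPES.get(props.get(k, {}).get("type"))
        if t and (not isinstance(v, t) or isinstance(v, bool)):
            return False
        if t is str and len(v) > props[k].get("maxLength", len(v)):
            return False
    return True

def allow(method, path, body=None):
    """Allow-list decision: True only when the request conforms to CONTRACT."""
    for template, ops in CONTRACT["paths"].items():
        path_params = _match_path(template, path)
        if path_params is None:
            continue
        op = ops.get(method.lower())
        if op is None:                                    # path known, method not declared
            return False
        for p in op.get("parameters", []):                # declared integer path params must parse
            if p["schema"].get("type") == "integer" and not path_params[p["name"]].lstrip("-").isdigit():
                return False
        rb = op.get("requestBody")
        if rb is None or body is None:                    # a body is accepted only where declared
            return body is None and not (rb or {}).get("required")
        return _ok_body(body, rb["content"]["application/json"]["schema"])
    return False                                          # path not in contract
```

Everything the contract does not describe (unknown paths, undeclared methods, non-integer IDs, extra or mistyped body fields) is denied by default, which is the property an allow-list gives you that a block-list cannot.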
API security: Microsoft stack to the rescue
APIs have become the primary attack surface for modern cloud-native applications. Luckily, well-defined, well-tested, and well-protected APIs are well equipped to withstand attacks, and the Microsoft stack comes with the components to provide that.
Where to learn more about API security
You can learn more about these components by following these links:
- 42Crunch OpenAPI (Swagger) Editor for VS Code
- 42Crunch REST API Static Security Testing Extension
- 42Crunch API Firewall Container for Azure Pipelines
Be sure you also visit APIsecurity.io for API security news and more information about the current API security tooling, standards, and best practices.